Although open source saves companies money and, in some instances, is more secure and performs better than proprietary software, it does present risks. The most common, of course, is a company's legal risk if it is not compliant with the licenses under which the software is released.
The far larger risk is that there is no visibility into the makeup of a significant portion of the company's IT infrastructure. How can you confidently plan for SLA commitments when you're not sure what software you're running, how mature it is, how it is supported, and so on? Furthermore, as a CIO, you face the very real potential of being unable to adequately plan your workforce skills, since you are unaware of what development and operations commitments accompany these invisible software implementations. Finally, it's hard to attest to compliance with important regulatory requirements (such as recoverability rules, to which financial institutions are subject) when you don't know what will need to be recovered.
Despite what a typical CIO's knee-jerk reaction might be, Golden says banning open source is out of the question at this point. It is too prevalent in most enterprises. He points to Gartner's prediction that as much as 80 percent of commercial software will include open source by 2012.
Instead, he says, CIOs should familiarize themselves with the open source that's already in their networks. (Participating in the Open Source Census would be a good way of doing so.) And then they should establish policies and procedures for open source implementation, use and governance.